The USB Keys in the Urinal

Sometimes it's the people on the inside, not the outside, who unwittingly present the biggest security threat.

Security is a major obsession today, particularly as the industry makes the shift from traditional, standalone devices to the design of connected, networked systems that are “always on.”

I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks. My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to attempt to expose any security weaknesses that might be lurking in the ether.

A company’s external infrastructure -- including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet -- is typically considered the primary target of security attacks. So that’s where we start.

Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service attacks, and remote-control tools. In this case, I tried attacking the firewall systems with every trick in our digital lock picker’s toolkit, but to no avail: The network was locked tight, so to speak.

So I told myself, “Screw it. I’m going in.”

You see, companies with an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.

First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.

I hopped into my truck and drove over to the facility. Doing my best to look sheepish, I walked into the front lobby and approached the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”

She smiled -- always a good sign -- and buzzed me in. Once I was inside the men’s room and confirmed it was unoccupied, I quickly yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall. I gave myself a thumbs-up in the mirror, strolled back to the lobby, and flashed the receptionist a big smile as I walked out the door.

I drove back to my office and sat down in front of my computer to wait. I knew that as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto-run and execute a remote connection to my computer.

This would give me instant access and the ability to "pass the hash." Note that I’m not talking about the good ol’ college days here; what I'm doing is taking the hashed credentials of the computer’s owner (the password hash the system stores, never the password itself) and passing them to the company’s own server, mimicking a real and normal login.

In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem -- from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.

Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting the fact that people tend to react the same way in certain situations.

My "Big Gulp" ruse was a success because, by and large, people are inclined to be helpful. And it’s true -- curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out.

In fact, my backup plan, should my men’s-room story have failed, was to toss the keys in a prominent spot in the parking lot.

This episode underscores the fact that security involves more than just protection of a company's network firewall. Internal threats are real -- and they aren’t all necessarily the work of a disgruntled employee.

Employees need to understand that security threats can be triggered in numerous ways, and they need to be trained to protect against threats that may be masquerading as something perfectly innocuous -- like the guy next door. A simple policy like permitting only one approved, company-issued type of USB device on internal machines might have prevented me from gaining access to the network in this case.

Companies also need to recognize when they have a problem -- and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered across firewall, application, router, and other log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate that data and put it to use.

Security professionals need to put in place the technologies and processes that afford them access to security logs along with some type of log management to extract the information required to keep the infrastructure secure.

Better yet, they can employ a Security Information and Event Management (SIEM) system for collecting and correlating that data, along with a process to integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.
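Correlation of the kind the last two paragraphs describe, as an added example that is not from the article: three independent event streams (a removable device attached to a workstation, that workstation's outbound connection to a non-corporate address, then an NTLM network logon from that workstation to a server) are joined per host inside a time window, which is exactly the chain the USB drop produced. The record layout, field names, corporate address ranges, the documentation address standing in for the attacker's host, and the sample events are constructed; the Windows sources named in the comments (Security 6416 for a new external device, Sysmon event 3 for a network connection, Security 4624 with logon type 3 and package NTLM) are the usual origins of such fields, stated here as an assumption.

```python
"""Correlating endpoint and logon telemetry into one alert for a dropped-USB intrusion.

Added example, not from the article. Records are normalised dicts as a SIEM would
hold them; the sample events and field names are constructed, and the Windows
event sources named in comments are assumptions about where each field would
originate (Security 6416: new external device; Sysmon 3: network connection;
Security 4624 with logon type 3 and package NTLM: network logon).
"""
from datetime import datetime, timedelta
import ipaddress

# Corporate address space the rule treats as internal (assumption; a real rule reads this from config).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=30)


def is_external(ip: str) -> bool:
    """Anything outside the corporate ranges counts as a possible command-and-control destination."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def correlate(events, window=WINDOW):
    """One alert per workstation whose USB attach is followed, within `window`, by
    an outbound connection to a non-corporate address (medium) and then by an
    NTLM network logon from that workstation to another host (high)."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, usb in enumerate(events):
        if usb["type"] != "usb_attach":
            continue
        host, t0 = usb["host"], usb["ts"]
        c2 = lateral = None
        for ev in events[i + 1:]:
            if ev["ts"] - t0 > window:
                break
            if c2 is None and ev["type"] == "net_connect" and ev["host"] == host and is_external(ev["dst"]):
                c2 = ev
            elif (c2 is not None and ev["type"] == "logon" and ev["src_host"] == host
                  and ev["host"] != host and ev["logon_type"] == 3 and ev["auth_pkg"] == "NTLM"):
                lateral = ev
                break
        if c2 is None:
            continue  # a USB stick alone is noise; the outbound beacon is what makes it an incident
        alerts.append({
            "host": host,
            "severity": "high" if lateral else "medium",
            "c2_dst": f'{c2["dst"]}:{c2["dport"]}',
            "lateral_target": lateral["host"] if lateral else None,
            # identity join: the account whose hash was replayed, from the logon record when we have it
            "identity": lateral["user"] if lateral else usb.get("user"),
        })
    return alerts


T = datetime(2011, 6, 14, 10, 0)  # constructed base time
SAMPLE_EVENTS = [  # constructed records; 203.0.113.10 is a documentation address standing in for the attacker
    {"ts": T, "type": "usb_attach", "host": "WS-042", "user": "jdoe", "source": "Security 6416"},
    {"ts": T + timedelta(minutes=2), "type": "net_connect", "host": "WS-042", "process": "autorun.exe",
     "dst": "203.0.113.10", "dport": 443, "source": "Sysmon 3"},
    {"ts": T + timedelta(minutes=9), "type": "logon", "host": "FILESRV01", "src_host": "WS-042",
     "user": "jdoe", "logon_type": 3, "auth_pkg": "NTLM", "source": "Security 4624"},
    # Control case: a stick plugged into another workstation that only talks to an internal server.
    {"ts": T + timedelta(minutes=3), "type": "usb_attach", "host": "WS-017", "user": "asmith", "source": "Security 6416"},
    {"ts": T + timedelta(minutes=4), "type": "net_connect", "host": "WS-017", "process": "explorer.exe",
     "dst": "10.1.2.3", "dport": 445, "source": "Sysmon 3"},
]


def run_sample():
    """Run the rule over the constructed events; expect one high-severity alert for WS-042."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two design choices worth noting: the rule does not fire on a USB attach by itself, because that happens legitimately all day and a flood of low-value alerts is how real ones get ignored; and the logon record is what supplies the identity, which is the join with "identity and access information" the paragraph above calls for, letting the SOC distinguish jdoe's normal file-server use from an NTLM logon sourced from a workstation that has just started beaconing outside the company.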

While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful.

— Terry Cutler is a Certified Ethical Hacker and co-founder of Digital Locksmiths Inc., an IT security and data defense firm based in Montreal. He serves as the company's Chief Technology Officer. He specializes in the anticipation, recognition, and prevention of security breaches.

It's kind of an old and rather useless approach by now.
Autorun is not enabled in modern Windows (XP is officially out), and if they all used macOS or Linux, it wouldn't work at all.
The real problem is that security always gets in the way of getting things done.
Compare it with air travel: in the old days I could walk into the airport 10 minutes before takeoff and still make it. Unthinkable by modern standards.
There is always a compromise between how secure a system is and how much work is expected to be done. You just found that compromise and exploited it.